This account can be used for either Lite Touch deployments via MDT or Zero Touch deployments via SCCM.
The account requires the permissions listed below to be delegated on the OUs (or the domain) where computer accounts will be created, either using the Delegation of Administration wizard or (as in this example) by directly editing the security on particular OUs within the domain.
The account SHOULD NOT be given “Domain Admins” privileges.
In this example I will use a domain account called “CM_DJ” (short for ConfigMgr Domain Join) which starts out with no special permissions other than membership of “Domain Users”. The account should also be prevented from logging on to computers interactively, via a GPO that controls the “Allow log on locally” User Rights Assignment item.
In order to view the Security tab in Active Directory Users and Computers, enable “View Advanced Features” from the View menu.
The steps below grant the permissions required for the following deployment activities:
- Add/Remove new computers (“Bare Metal” scenarios)
- Update existing ones (“Refresh” scenarios)
Open the Security tab of the OU you want to grant permissions on. This can be done at the domain level if required, but for security reasons it is best to limit the delegation to specific parts of Active Directory.
Right-Click the relevant OU and select Properties.
Navigate to the Security tab.
Click on “Advanced”.
Click on “Add” and browse to your account, e.g. TESTLAB\CM_DJ (DomainName\JoinAccount).
Choose “This object and all descendant objects” as the “Apply Onto” scope and select the following settings:
- Create Computer Objects
- Delete Computer Objects
Click “Add” again and once more select the “JoinAccount” user.
This time, limit the “Apply Onto” scope to “Descendant Computer objects” and choose the following settings:
- Read All Properties
- Write All Properties
- Read Permissions
- Modify Permissions
- Change Password
- Reset Password
- Validated write to DNS host name
- Validated write to service principal name
Once this has been done the “JoinAccount” (in this example TESTLAB\CM_DJ) will have the required permissions to add, modify and remove computer accounts in the locations you specify, and nothing over and above that.
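The same two sets of access control entries can be applied and then verified from PowerShell instead of the ADUC GUI. The script below is an added example and is not part of the original post: it assumes the RSAT ActiveDirectory module is installed, that you run it with rights to modify the OU’s ACL, and it uses a placeholder OU distinguished name and the “CM_DJ” account name from the example. The GUIDs are the well-known schema and extended-right identifiers that the GUI resolves to the names listed above.

```powershell
# Added example (not from the original post): delegate domain-join rights to the
# join account on one OU using the ActiveDirectory module, then list what was granted.
Import-Module ActiveDirectory

# Well-known schemaIDGUID / rightsGuid values behind the GUI names used above.
$ComputerClass  = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # object class "computer"
$ChangePassword = [Guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'   # extended right "Change Password"
$ResetPassword  = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # extended right "Reset Password"
$ValidatedDns   = [Guid]'72e39547-7b18-11d1-adef-0000f87a6e2e'   # "Validated write to DNS host name"
$ValidatedSpn   = [Guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'   # "Validated write to service principal name"

# Helper that builds one Allow ACE; empty GUIDs mean "any object type".
function New-Ace {
    param(
        [System.Security.Principal.SecurityIdentifier]$Identity,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [Guid]$ObjectType = [Guid]::Empty,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance,
        [Guid]$InheritedObjectType = [Guid]::Empty
    )
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Identity, $Rights, 'Allow', $ObjectType, $Inheritance, $InheritedObjectType)
}

function Grant-DomainJoinDelegation {
    param(
        [Parameter(Mandatory)][string]$OUDistinguishedName,  # placeholder, e.g. 'OU=Workstations,DC=testlab,DC=local'
        [Parameter(Mandatory)][string]$JoinAccount           # e.g. 'CM_DJ'
    )
    $sid  = (Get-ADUser -Identity $JoinAccount).SID
    $path = "AD:\$OUDistinguishedName"
    $acl  = Get-Acl -Path $path

    # Set 1: "This object and all descendant objects" - Create / Delete Computer Objects
    $acl.AddAccessRule((New-Ace $sid 'CreateChild' $ComputerClass 'All'))
    $acl.AddAccessRule((New-Ace $sid 'DeleteChild' $ComputerClass 'All'))

    # Set 2: "Descendant Computer objects" only - property, permission, password and validated-write rights
    $acl.AddAccessRule((New-Ace $sid 'ReadProperty, WriteProperty, ReadControl, WriteDacl' ([Guid]::Empty) 'Descendents' $ComputerClass))
    $acl.AddAccessRule((New-Ace $sid 'ExtendedRight' $ChangePassword 'Descendents' $ComputerClass))
    $acl.AddAccessRule((New-Ace $sid 'ExtendedRight' $ResetPassword  'Descendents' $ComputerClass))
    $acl.AddAccessRule((New-Ace $sid 'Self'          $ValidatedDns   'Descendents' $ComputerClass))
    $acl.AddAccessRule((New-Ace $sid 'Self'          $ValidatedSpn   'Descendents' $ComputerClass))

    Set-Acl -Path $path -AclObject $acl
}

# Verification: show only the ACEs held by the join account on the OU, so you can
# confirm nothing beyond the intended rights (and no domain-level delegation) exists.
function Get-DomainJoinDelegation {
    param(
        [Parameter(Mandatory)][string]$OUDistinguishedName,
        [Parameter(Mandatory)][string]$JoinAccount
    )
    (Get-Acl -Path "AD:\$OUDistinguishedName").Access |
        Where-Object { $_.IdentityReference -like "*\$JoinAccount" } |
        Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType
}

# Usage (placeholder OU; the account name matches the example in the post):
Grant-DomainJoinDelegation -OUDistinguishedName 'OU=Workstations,DC=testlab,DC=local' -JoinAccount 'CM_DJ'
Get-DomainJoinDelegation   -OUDistinguishedName 'OU=Workstations,DC=testlab,DC=local' -JoinAccount 'CM_DJ'
```

Running the verification function before and after the grant is a cheap way to catch an accidental run against the domain root: the join account should only ever appear in the output for the OUs you intended, and each ACE should carry either the computer class GUID as its ObjectType (the create/delete entries) or as its InheritedObjectType (everything else).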
## Edit 09/03/2017 ##
Updated to reflect the updated GUI in Windows Server 2012 and later.
## Edit 24/02/2015 ##
To automate this process, check out Johan Arwidmark’s blog where you can download a script that he and Mikael Nystrom wrote to automate the permissions required: